From 3c444309793327e28bd7bd61d4721c0b16be28bb Mon Sep 17 00:00:00 2001
From: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
Date: Mon, 15 Dec 2025 13:52:34 -0600
Subject: [PATCH] [PM-29161] Remove ReturnErrorOnExistingKeypair feature flag
 (#6726)

* Remove feature flag

* Add unit test coverage
---
 .../Auth/Controllers/AccountsController.cs    |  7 +---
 src/Core/Constants.cs                         |  1 -
 .../Controllers/AccountsControllerTests.cs    | 37 +++++++++++++++++--
 3 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/src/Api/Auth/Controllers/AccountsController.cs b/src/Api/Auth/Controllers/AccountsController.cs
index 38981b7a2d..839d00f7a1 100644
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@@ -436,12 +436,9 @@ public class AccountsController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        if (_featureService.IsEnabled(FeatureFlagKeys.ReturnErrorOnExistingKeypair))
+        if (!string.IsNullOrWhiteSpace(user.PrivateKey) || !string.IsNullOrWhiteSpace(user.PublicKey))
         {
-            if (!string.IsNullOrWhiteSpace(user.PrivateKey) || !string.IsNullOrWhiteSpace(user.PublicKey))
-            {
-                throw new BadRequestException("User has existing keypair");
-            }
+            throw new BadRequestException("User has existing keypair");
         }
 
         if (model.AccountKeys != null)
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 3d9f2cca87..cf3f40ec80 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -198,7 +198,6 @@ public static class FeatureFlagKeys
     public const string PM28265_ReconcileAdditionalStorageJobEnableLiveMode = "pm-28265-reconcile-additional-storage-job-enable-live-mode";
 
     /* Key Management Team */
-    public const string ReturnErrorOnExistingKeypair = "return-error-on-existing-keypair";
     public const string PrivateKeyRegeneration = "pm-12241-private-key-regeneration";
     public const string Argon2Default = "argon2-default";
     public const string SSHKeyItemVaultItem = "ssh-key-vault-item";
diff --git a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
index 5a8497a73e..300a4d823d 100644
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@@ -692,6 +692,37 @@ public class AccountsControllerTests : IDisposable
         await _sut.PostKdf(model);
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PostKeys_NoUser_Errors(KeysRequestModel model)
+    {
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult<User>(null));
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() => _sut.PostKeys(model));
+    }
+
+    [Theory]
+    [BitAutoData("existing", "existing")]
+    [BitAutoData((string)null, "existing")]
+    [BitAutoData("", "existing")]
+    [BitAutoData(" ", "existing")]
+    [BitAutoData("existing", null)]
+    [BitAutoData("existing", "")]
+    [BitAutoData("existing", " ")]
+    public async Task PostKeys_UserAlreadyHasKeys_Errors(string? existingPrivateKey, string? existingPublicKey,
+        KeysRequestModel model)
+    {
+        var user = GenerateExampleUser();
+        user.PrivateKey = existingPrivateKey;
+        user.PublicKey = existingPublicKey;
+        _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(Task.FromResult(user));
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostKeys(model));
+
+        Assert.NotNull(exception.Message);
+        Assert.Contains("User has existing keypair", exception.Message);
+    }
+
     // Below are helper functions that currently belong to this
     // test class, but ultimately may need to be split out into
     // something greater in order to share common test steps with
@@ -749,8 +780,8 @@ public class AccountsControllerTests : IDisposable
         KeysRequestModel model)
     {
         // Arrange
-        user.PublicKey = "public-key";
-        user.PrivateKey = "encrypted-private-key";
+        user.PublicKey = null;
+        user.PrivateKey = null;
         model.AccountKeys = new AccountKeysRequestModel
         {
             UserKeyEncryptedAccountPrivateKey = "wrapped-private-key",
@@ -775,7 +806,6 @@ public class AccountsControllerTests : IDisposable
         };
 
         _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
-        _featureService.IsEnabled(Bit.Core.FeatureFlagKeys.ReturnErrorOnExistingKeypair).Returns(false);
 
         // Act
         var result = await _sut.PostKeys(model);
@@ -802,7 +832,6 @@ public class AccountsControllerTests : IDisposable
         model.EncryptedPrivateKey = "encrypted-private-key";
 
         _userService.GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).Returns(user);
-        _featureService.IsEnabled(Bit.Core.FeatureFlagKeys.ReturnErrorOnExistingKeypair).Returns(false);
 
         // Act
         var result = await _sut.PostKeys(model);